I'm seeing a strange response from our IIS site now that we've upgraded the host from Win2K3/IIS6 to Win2k8R2/IIS7.5, ASP.NET version 4.0.
We have a significantly complex and mature web application that uses Forms Authentication with the following config:
<authentication mode="Forms">
    <forms loginUrl="~/Login" timeout="2000" domain="xx.xx.com" requireSSL="true" />
</authentication>
The Login URL directs to an ASP.Net MVC 3 page properly configured for SSL.
The site behaved as expected in IIS6, but ever since the host migration, upon successful login the auth cookie in the response header is missing the Secure and HttpOnly attributes. This is problematic as we have a mixed-content site with many HTTP pages. The auth cookie is now sent in every request, not just in requests over HTTPS, and is now open to a session-stealing vulnerability.
Our Logoff link successfully sends a zero length cookie that does include the Secure and HttpOnly attributes.
Here are the raw responses after successful login and logoff from Fiddler, edited to protect the innocent :)
Login Response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Set-Cookie: .ASPXAUTH=83FCCA...102D; domain=xx.xx.com; path=/
Date: Fri, 25 Jan 2013 22:53:31 GMT
Content-Length: 84
{...}
Logoff Response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://xx.xx.com/?...
Set-Cookie: .ASPXAUTH=; domain=xx.xx.com; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; secure; HttpOnly
Set-Cookie: logoff=; path=/
Set-Cookie: ...
Date: Fri, 25 Jan 2013 22:57:01 GMT
Content-Length: 64053
<html><head><title>...
Changing the Integrated Pipeline setting of the app pool has no effect.
Here are the important parts of the cookie creation code:
var ctx = HttpContextFactory.Current;
var cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    FormsAuthentication.Encrypt(
        new FormsAuthenticationTicket(
            SessionId,
            false,
            Convert.ToInt32(FormsAuthentication.Timeout.TotalMinutes)
        )
    )
) { Domain = domain };
ctx.Response.Cookies.Add(cookie);
Any thoughts on where to start looking for what's causing this?
When you are emitting the forms authentication cookie, all that you are setting is the domain name. I cannot see you setting the secure flag anywhere. So if you want your cookie to be set with the secure and httponly flags, make sure you have specified them when creating this cookie:
var cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    FormsAuthentication.Encrypt(
        new FormsAuthenticationTicket(
            SessionId,
            false,
            Convert.ToInt32(FormsAuthentication.Timeout.TotalMinutes)
        )
    )
)
{
    Domain = domain,
    HttpOnly = true,
    Secure = FormsAuthentication.RequireSSL
};
Since you are creating the forms authentication cookie manually (instead of using the built-in FormsAuthentication.SetAuthCookie or FormsAuthentication.GetAuthCookie methods), the settings in your web.config have no effect. You need to explicitly set them as shown in my example.